1. 28 1月, 2021 40 次提交
    • L
      nvme: avoid possible double fetch in handling CQE · 0aaccf1e
      Lalithambika Krishnakumar 提交于
      stable inclusion
      from stable-5.10.9
      commit 74310d40e0a41483dc7125347a9ccc249655fd85
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 62df8016 ]
      
      While handling the completion queue, keep a local copy of the command id
      from the DMA-accessible completion entry. This silences a time-of-check
      to time-of-use (TOCTOU) warning from KF/x[1], with respect to a
      Thunderclap[2] vulnerability analysis. The double-read impact appears
      benign.
      
      There may be a theoretical window for @command_id to be used as an
      adversary-controlled array-index-value for mounting a speculative
      execution attack, but that mitigation is saved for a potential follow-on.
      A man-in-the-middle attack on the data payload is out of scope for this
      analysis and is hopefully mitigated by filesystem integrity mechanisms.
      
      [1] https://github.com/intel/kernel-fuzzer-for-xen-project
      [2] http://thunderclap.io/thunderclap-paper-ndss2019.pdfSigned-off-by: NLalithambika Krishna Kumar <lalithambika.krishnakumar@intel.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      0aaccf1e
    • G
      nvme-pci: mark Samsung PM1725a as IGNORE_DEV_SUBNQN · c2ff532d
      Gopal Tiwari 提交于
      stable inclusion
      from stable-5.10.9
      commit afc0002f639683ae98c337b272732fb47ff7ed31
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 7ee5c78c ]
      
      A system with more than one of these SSDs will only have one usable.
      Hence the kernel fails to detect nvme devices due to duplicate cntlids.
      
      [    6.274554] nvme nvme1: Duplicate cntlid 33 with nvme0, rejecting
      [    6.274566] nvme nvme1: Removing after probe failure status: -22
      
      Adding the NVME_QUIRK_IGNORE_DEV_SUBNQN quirk to resolves the issue.
      Signed-off-by: NGopal Tiwari <gtiwari@redhat.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      c2ff532d
    • P
      selftests: fix the return value for UDP GRO test · 6a0bb69b
      Po-Hsu Lin 提交于
      stable inclusion
      from stable-5.10.9
      commit 1151161dd029a7d736ffffa356a837441b47e515
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 3503ee6c ]
      
      The udpgro.sh will always return 0 (unless the bpf selftest was not
      build first) even if there are some failed sub test-cases.
      
      Therefore the kselftest framework will report this case is OK.
      
      Check and return the exit status of each test to make it easier to
      spot real failures.
      Signed-off-by: NPo-Hsu Lin <po-hsu.lin@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      6a0bb69b
    • M
      net: ethernet: fs_enet: Add missing MODULE_LICENSE · 20cd72e6
      Michael Ellerman 提交于
      stable inclusion
      from stable-5.10.9
      commit 2e1939396c77090d9be8f44a66fc7055acd122ec
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 445c6198 ]
      
      Since commit 1d6cd392 ("modpost: turn missing MODULE_LICENSE()
      into error") the ppc32_allmodconfig build fails with:
      
        ERROR: modpost: missing MODULE_LICENSE() in drivers/net/ethernet/freescale/fs_enet/mii-fec.o
        ERROR: modpost: missing MODULE_LICENSE() in drivers/net/ethernet/freescale/fs_enet/mii-bitbang.o
      
      Add the missing MODULE_LICENSEs to fix the build. Both files include a
      copyright header indicating they are GPL v2.
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      20cd72e6
    • A
      misdn: dsp: select CONFIG_BITREVERSE · f7d0fd0f
      Arnd Bergmann 提交于
      stable inclusion
      from stable-5.10.9
      commit 8bd59057edf531d241979f458915d4d9cd5df359
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 51049bd9 ]
      
      Without this, we run into a link error
      
      arm-linux-gnueabi-ld: drivers/isdn/mISDN/dsp_audio.o: in function `dsp_audio_generate_law_tables':
      (.text+0x30c): undefined reference to `byte_rev_table'
      arm-linux-gnueabi-ld: drivers/isdn/mISDN/dsp_audio.o:(.text+0x5e4): more undefined references to `byte_rev_table' follow
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      f7d0fd0f
    • R
      arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC · 936e55b5
      Randy Dunlap 提交于
      stable inclusion
      from stable-5.10.9
      commit bb3700925c19d9e71668a3eacee05633542a2ac5
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 8a48c0a3 ]
      
      fs/dax.c uses copy_user_page() but ARC does not provide that interface,
      resulting in a build error.
      
      Provide copy_user_page() in <asm/page.h>.
      
      ../fs/dax.c: In function 'copy_cow_page_dax':
      ../fs/dax.c:702:2: error: implicit declaration of function 'copy_user_page'; did you mean 'copy_to_user_page'? [-Werror=implicit-function-declaration]
      Reported-by: Nkernel test robot <lkp@intel.com>
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Vineet Gupta <vgupta@synopsys.com>
      Cc: linux-snps-arc@lists.infradead.org
      Cc: Dan Williams <dan.j.williams@intel.com>
      #Acked-by: Vineet Gupta <vgupta@synopsys.com> # v1
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Jan Kara <jack@suse.cz>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: linux-nvdimm@lists.01.org
      #Reviewed-by: Ira Weiny <ira.weiny@intel.com> # v2
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      936e55b5
    • J
      bfq: Fix computation of shallow depth · dabe9585
      Jan Kara 提交于
      stable inclusion
      from stable-5.10.9
      commit 7fdaca86fc9b853c44e0104919989b6cb387cdc2
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 6d4d2735 ]
      
      BFQ computes number of tags it allows to be allocated for each request type
      based on tag bitmap. However it uses 1 << bitmap.shift as number of
      available tags which is wrong. 'shift' is just an internal bitmap value
      containing logarithm of how many bits bitmap uses in each bitmap word.
      Thus number of tags allowed for some request types can be far to low.
      Use proper bitmap.depth which has the number of tags instead.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      dabe9585
    • P
      io_uring: drop file refs after task cancel · a15af68d
      Pavel Begunkov 提交于
      stable inclusion
      from stable-5.10.9
      commit 94dbb87fc0b25285a0eba2350f77316063151be5
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit de7f1d9e ]
      
      io_uring fds marked O_CLOEXEC and we explicitly cancel all requests
      before going through exec, so we don't want to leave task's file
      references to not our anymore io_uring instances.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      a15af68d
    • X
      spi: fix the divide by 0 error when calculating xfer waiting time · 50eab22e
      Xu Yilun 提交于
      stable inclusion
      from stable-5.10.9
      commit 501e1875da3237a876f8d09e1a286ec2ff83d4fe
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 6170d077 ]
      
      The xfer waiting time is the result of xfer->len / xfer->speed_hz. This
      patch makes the assumption of 100khz xfer speed if the xfer->speed_hz is
      not assigned and stays 0. This avoids the divide by 0 issue and ensures
      a reasonable tolerant waiting time.
      Signed-off-by: NXu Yilun <yilun.xu@intel.com>
      Link: https://lore.kernel.org/r/1609723749-3557-1-git-send-email-yilun.xu@intel.comSigned-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      50eab22e
    • M
      kconfig: remove 'kvmconfig' and 'xenconfig' shorthands · 0d55aab2
      Masahiro Yamada 提交于
      stable inclusion
      from stable-5.10.9
      commit 17a08680ab6a6c057949cb48c352933e09ea377a
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 9bba03d4 ]
      
      Linux 5.10 is out. Remove the 'kvmconfig' and 'xenconfig' shorthands
      as previously announced.
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      0d55aab2
    • J
      lib/raid6: Let $(UNROLL) rules work with macOS userland · 1ee75828
      John Millikin 提交于
      stable inclusion
      from stable-5.10.9
      commit 2aa134d9abca5f31f09e3ad7610dd08b28c42b0a
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 0c36d88c ]
      
      Older versions of BSD awk are fussy about the order of '-v' and '-f'
      flags, and require a space after the flag name. This causes build
      failures on platforms with an old awk, such as macOS and NetBSD.
      
      Since GNU awk and modern versions of BSD awk (distributed with
      FreeBSD/OpenBSD) are fine with either form, the definition of
      'cmd_unroll' can be trivially tweaked to let the lib/raid6 Makefile
      work with both old and new awk flag dialects.
      Signed-off-by: NJohn Millikin <john@john-millikin.com>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      1ee75828
    • U
      hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values · 207b2eae
      Uwe Kleine-König 提交于
      stable inclusion
      from stable-5.10.9
      commit 3163d7c1fbd32d96d242557ad443fe595a9ee281
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 1eda5233 ]
      
      With MAX_PWM being defined to 255 the code
      
      	unsigned long period;
      	...
      	period = ctx->pwm->args.period;
      	state.duty_cycle = DIV_ROUND_UP(pwm * (period - 1), MAX_PWM);
      
      calculates a too small value for duty_cycle if the configured period is
      big (either by discarding the 64 bit value ctx->pwm->args.period or by
      overflowing the multiplication). As this results in a too slow fan and
      so maybe an overheating machine better be safe than sorry and error out
      in .probe.
      Signed-off-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Link: https://lore.kernel.org/r/20201215092031.152243-1-u.kleine-koenig@pengutronix.deSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      207b2eae
    • D
      habanalabs: Fix memleak in hl_device_reset · dc0814d3
      Dinghao Liu 提交于
      stable inclusion
      from stable-5.10.9
      commit 8c3520e21f6b048901534463233d7aa73900a112
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit b000700d ]
      
      When kzalloc() fails, we should execute hl_mmu_fini()
      to release the MMU module. It's the same when
      hl_ctx_init() fails.
      Signed-off-by: NDinghao Liu <dinghao.liu@zju.edu.cn>
      Reviewed-by: NOded Gabbay <ogabbay@kernel.org>
      Signed-off-by: NOded Gabbay <ogabbay@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      dc0814d3
    • X
      spi: altera: fix return value for altera_spi_txrx() · 75f7b7d8
      Xu Yilun 提交于
      stable inclusion
      from stable-5.10.9
      commit 78755373aa48eb50367bcb674f99fdb79e236bff
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit ede090f5 ]
      
      This patch fixes the return value for altera_spi_txrx. It should return
      1 for interrupt transfer mode, and return 0 for polling transfer mode.
      
      The altera_spi_txrx() implements the spi_controller.transfer_one
      callback. According to the spi-summary.rst, the transfer_one should
      return 0 when transfer is finished, return 1 when transfer is still in
      progress.
      Signed-off-by: NXu Yilun <yilun.xu@intel.com>
      Link: https://lore.kernel.org/r/1609219662-27057-2-git-send-email-yilun.xu@intel.comSigned-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      75f7b7d8
    • C
      staging: spmi: hisi-spmi-controller: Fix some error handling paths · f02c21ee
      Christophe JAILLET 提交于
      stable inclusion
      from stable-5.10.9
      commit 560e9b900e12781706b686e7aa40fb59c9fa5dcb
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 12b38ea0 ]
      
      IN the probe function, if an error occurs after calling
      'spmi_controller_alloc()', it must be undone by a corresponding
      'spmi_controller_put() call.
      
      In the remove function, use 'spmi_controller_put(ctrl)' instead of
      'kfree(ctrl)'.
      
      While a it fix an error message
      (s/spmi_add_controller/spmi_controller_add/)
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Link: https://lore.kernel.org/r/20201213151105.137731-1-christophe.jaillet@wanadoo.frSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      f02c21ee
    • O
      habanalabs: register to pci shutdown callback · fb1b67b1
      Oded Gabbay 提交于
      stable inclusion
      from stable-5.10.9
      commit c78cff56baad24ebb10d748e1a1b78bae203debe
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit fcaebc73 ]
      
      We need to make sure our device is idle when rebooting a virtual
      machine. This is done in the driver level.
      
      The firmware will later handle FLR but we want to be extra safe and
      stop the devices until the FLR is handled.
      Signed-off-by: NOded Gabbay <ogabbay@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      fb1b67b1
    • O
      habanalabs/gaudi: retry loading TPC f/w on -EINTR · a631df0d
      Oded Gabbay 提交于
      stable inclusion
      from stable-5.10.9
      commit 68a9abf536ff3c54b80983780315d8426da43125
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 98e8781f ]
      
      If loading the firmware file for the TPC f/w was interrupted, try
      to do it again, up to 5 times.
      Signed-off-by: NOded Gabbay <ogabbay@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      a631df0d
    • O
      habanalabs: adjust pci controller init to new firmware · 0a01aece
      Oded Gabbay 提交于
      stable inclusion
      from stable-5.10.9
      commit 8d0522d9688c787b33fa2dca17ee298829fafaba
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 377182a3 ]
      
      When the firmware security is enabled, the pcie_aux_dbi_reg_addr
      register in the PCI controller is blocked. Therefore, ignore
      the result of writing to this register and assume it worked. Also
      remove the prints on errors in the internal ELBI write function.
      
      If the security is enabled, the firmware is responsible for setting
      this register correctly so we won't have any problem.
      
      If the security is disabled, the write will work (unless something
      is totally broken at the PCI level and then the whole sequence
      will fail).
      
      In addition, remove a write to register pcie_aux_dbi_reg_addr+4,
      which was never actually needed.
      
      Moreover, PCIE_DBI registers are blocked to access from host when
      firmware security is enabled. Use a different register to flush the
      writes.
      Signed-off-by: NOded Gabbay <ogabbay@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      0a01aece
    • L
      ARM: dts: ux500/golden: Set display max brightness · 8c0a6771
      Linus Walleij 提交于
      stable inclusion
      from stable-5.10.9
      commit 06b0d83b33b5b06e4228c56abbe32fb754813e8d
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 7887cc89 ]
      
      A too high brightness by default (default is max) makes the
      screen go blank. Set this to 15 as in the Vendor tree.
      Signed-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Cc: Stephan Gerhold <stephan@gerhold.net>
      Link: https://lore.kernel.org/r/20201214223413.253893-1-linus.walleij@linaro.org'
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      8c0a6771
    • R
      ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram · 4e67d219
      Rasmus Villemoes 提交于
      stable inclusion
      from stable-5.10.9
      commit d5285a5eb3da527509a4b29b9d5aa03e99277bd8
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 887078de ]
      
      Table 8-53 in the QUICC Engine Reference manual shows definitions of
      fields up to a size of 192 bytes, not just 128. But in table 8-111,
      one does find the text
      
        Base Address of the Global Transmitter Parameter RAM Page. [...]
        The user needs to allocate 128 bytes for this page. The address must
        be aligned to the page size.
      
      I've checked both rev. 7 (11/2015) and rev. 9 (05/2018) of the manual;
      they both have this inconsistency (and the table numbers are the
      same).
      
      Adding a bit of debug printing, on my board the struct
      ucc_geth_tx_global_pram is allocated at offset 0x880, while
      the (opaque) ucc_geth_thread_data_tx gets allocated immediately
      afterwards, at 0x900. So whatever the engine writes into the thread
      data overlaps with the tail of the global tx pram (and devmem says
      that something does get written during a simple ping).
      
      I haven't observed any failure that could be attributed to this, but
      it seems to be the kind of thing that would be extremely hard to
      debug. So extend the struct definition so that we do allocate 192
      bytes.
      Signed-off-by: NRasmus Villemoes <rasmus.villemoes@prevas.dk>
      Signed-off-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      4e67d219
    • G
      regulator: bd718x7: Add enable times · 7059cb26
      Guido Günther 提交于
      stable inclusion
      from stable-5.10.9
      commit 36afeaad76711ff80c2dc57450ad9c5f2f382b41
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 3b66e4a8 ]
      
      Use the typical startup times from the data sheet so boards get a
      reasonable default. Not setting any enable time can lead to board hangs
      when e.g. clocks are enabled too soon afterwards.
      
      This fixes gpu power domain resume on the Librem 5.
      
      [Moved #defines into driver, seems to be general agreement and avoids any
      cross tree issues -- broonie]
      Signed-off-by: NGuido Günther <agx@sigxcpu.org>
      Reviewed-by: NMatti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
      Link: https://lore.kernel.org/r/41fb2ed19f584f138336344e2297ae7301f72b75.1608316658.git.agx@sigxcpu.orgSigned-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      7059cb26
    • F
      btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan · bcda164f
      Filipe Manana 提交于
      stable inclusion
      from stable-5.10.9
      commit 29543864c8b8d58e30ba1bc2feb99191f7971abb
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit cb13eea3 ]
      
      If we remount a filesystem in RO mode while the qgroup rescan worker is
      running, we can end up having it still running after the remount is done,
      and at unmount time we may end up with an open transaction that ends up
      never getting committed. If that happens we end up with several memory
      leaks and can crash when hardware acceleration is unavailable for crc32c.
      Possibly it can lead to other nasty surprises too, due to use-after-free
      issues.
      
      The following steps explain how the problem happens.
      
      1) We have a filesystem mounted in RW mode and the qgroup rescan worker is
         running;
      
      2) We remount the filesystem in RO mode, and never stop/pause the rescan
         worker, so after the remount the rescan worker is still running. The
         important detail here is that the rescan task is still running after
         the remount operation committed any ongoing transaction through its
         call to btrfs_commit_super();
      
      3) The rescan is still running, and after the remount completed, the
         rescan worker started a transaction, after it finished iterating all
         leaves of the extent tree, to update the qgroup status item in the
         quotas tree. It does not commit the transaction, it only releases its
         handle on the transaction;
      
      4) A filesystem unmount operation starts shortly after;
      
      5) The unmount task, at close_ctree(), stops the transaction kthread,
         which had not had a chance to commit the open transaction since it was
         sleeping and the commit interval (default of 30 seconds) has not yet
         elapsed since the last time it committed a transaction;
      
      6) So after stopping the transaction kthread we still have the transaction
         used to update the qgroup status item open. At close_ctree(), when the
         filesystem is in RO mode and no transaction abort happened (or the
         filesystem is in error mode), we do not expect to have any transaction
         open, so we do not call btrfs_commit_super();
      
      7) We then proceed to destroy the work queues, free the roots and block
         groups, etc. After that we drop the last reference on the btree inode
         by calling iput() on it. Since there are dirty pages for the btree
         inode, corresponding to the COWed extent buffer for the quotas btree,
         btree_write_cache_pages() is invoked to flush those dirty pages. This
         results in creating a bio and submitting it, which makes us end up at
         btrfs_submit_metadata_bio();
      
      8) At btrfs_submit_metadata_bio() we end up at the if-then-else branch
         that calls btrfs_wq_submit_bio(), because check_async_write() returned
         a value of 1. This value of 1 is because we did not have hardware
         acceleration available for crc32c, so BTRFS_FS_CSUM_IMPL_FAST was not
         set in fs_info->flags;
      
      9) Then at btrfs_wq_submit_bio() we call btrfs_queue_work() against the
         workqueue at fs_info->workers, which was already freed before by the
         call to btrfs_stop_all_workers() at close_ctree(). This results in an
         invalid memory access due to a use-after-free, leading to a crash.
      
      When this happens, before the crash there are several warnings triggered,
      since we have reserved metadata space in a block group, the delayed refs
      reservation, etc:
      
        ------------[ cut here ]------------
        WARNING: CPU: 4 PID: 1729896 at fs/btrfs/block-group.c:125 btrfs_put_block_group+0x63/0xa0 [btrfs]
        Modules linked in: btrfs dm_snapshot dm_thin_pool (...)
        CPU: 4 PID: 1729896 Comm: umount Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        RIP: 0010:btrfs_put_block_group+0x63/0xa0 [btrfs]
        Code: f0 01 00 00 48 39 c2 75 (...)
        RSP: 0018:ffffb270826bbdd8 EFLAGS: 00010206
        RAX: 0000000000000001 RBX: ffff947ed73e4000 RCX: ffff947ebc8b29c8
        RDX: 0000000000000001 RSI: ffffffffc0b150a0 RDI: ffff947ebc8b2800
        RBP: ffff947ebc8b2800 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000001 R12: ffff947ed73e4110
        R13: ffff947ed73e4160 R14: ffff947ebc8b2988 R15: dead000000000100
        FS:  00007f15edfea840(0000) GS:ffff9481ad600000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f37e2893320 CR3: 0000000138f68001 CR4: 00000000003706e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         btrfs_free_block_groups+0x17f/0x2f0 [btrfs]
         close_ctree+0x2ba/0x2fa [btrfs]
         generic_shutdown_super+0x6c/0x100
         kill_anon_super+0x14/0x30
         btrfs_kill_super+0x12/0x20 [btrfs]
         deactivate_locked_super+0x31/0x70
         cleanup_mnt+0x100/0x160
         task_work_run+0x68/0xb0
         exit_to_user_mode_prepare+0x1bb/0x1c0
         syscall_exit_to_user_mode+0x4b/0x260
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f15ee221ee7
        Code: ff 0b 00 f7 d8 64 89 01 48 (...)
        RSP: 002b:00007ffe9470f0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
        RAX: 0000000000000000 RBX: 00007f15ee347264 RCX: 00007f15ee221ee7
        RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 000056169701d000
        RBP: 0000561697018a30 R08: 0000000000000000 R09: 00007f15ee2e2be0
        R10: 000056169701efe0 R11: 0000000000000246 R12: 0000000000000000
        R13: 000056169701d000 R14: 0000561697018b40 R15: 0000561697018c60
        irq event stamp: 0
        hardirqs last  enabled at (0): [<0000000000000000>] 0x0
        hardirqs last disabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last  enabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last disabled at (0): [<0000000000000000>] 0x0
        ---[ end trace dd74718fef1ed5c6 ]---
        ------------[ cut here ]------------
        WARNING: CPU: 2 PID: 1729896 at fs/btrfs/block-rsv.c:459 btrfs_release_global_block_rsv+0x70/0xc0 [btrfs]
        Modules linked in: btrfs dm_snapshot dm_thin_pool (...)
        CPU: 2 PID: 1729896 Comm: umount Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        RIP: 0010:btrfs_release_global_block_rsv+0x70/0xc0 [btrfs]
        Code: 48 83 bb b0 03 00 00 00 (...)
        RSP: 0018:ffffb270826bbdd8 EFLAGS: 00010206
        RAX: 000000000033c000 RBX: ffff947ed73e4000 RCX: 0000000000000000
        RDX: 0000000000000001 RSI: ffffffffc0b0d8c1 RDI: 00000000ffffffff
        RBP: ffff947ebc8b7000 R08: 0000000000000001 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000001 R12: ffff947ed73e4110
        R13: ffff947ed73e5278 R14: dead000000000122 R15: dead000000000100
        FS:  00007f15edfea840(0000) GS:ffff9481aca00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000561a79f76e20 CR3: 0000000138f68006 CR4: 00000000003706e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         btrfs_free_block_groups+0x24c/0x2f0 [btrfs]
         close_ctree+0x2ba/0x2fa [btrfs]
         generic_shutdown_super+0x6c/0x100
         kill_anon_super+0x14/0x30
         btrfs_kill_super+0x12/0x20 [btrfs]
         deactivate_locked_super+0x31/0x70
         cleanup_mnt+0x100/0x160
         task_work_run+0x68/0xb0
         exit_to_user_mode_prepare+0x1bb/0x1c0
         syscall_exit_to_user_mode+0x4b/0x260
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f15ee221ee7
        Code: ff 0b 00 f7 d8 64 89 01 (...)
        RSP: 002b:00007ffe9470f0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
        RAX: 0000000000000000 RBX: 00007f15ee347264 RCX: 00007f15ee221ee7
        RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 000056169701d000
        RBP: 0000561697018a30 R08: 0000000000000000 R09: 00007f15ee2e2be0
        R10: 000056169701efe0 R11: 0000000000000246 R12: 0000000000000000
        R13: 000056169701d000 R14: 0000561697018b40 R15: 0000561697018c60
        irq event stamp: 0
        hardirqs last  enabled at (0): [<0000000000000000>] 0x0
        hardirqs last disabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last  enabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last disabled at (0): [<0000000000000000>] 0x0
        ---[ end trace dd74718fef1ed5c7 ]---
        ------------[ cut here ]------------
        WARNING: CPU: 2 PID: 1729896 at fs/btrfs/block-group.c:3377 btrfs_free_block_groups+0x25d/0x2f0 [btrfs]
        Modules linked in: btrfs dm_snapshot dm_thin_pool (...)
        CPU: 5 PID: 1729896 Comm: umount Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        RIP: 0010:btrfs_free_block_groups+0x25d/0x2f0 [btrfs]
        Code: ad de 49 be 22 01 00 (...)
        RSP: 0018:ffffb270826bbde8 EFLAGS: 00010206
        RAX: ffff947ebeae1d08 RBX: ffff947ed73e4000 RCX: 0000000000000000
        RDX: 0000000000000001 RSI: ffff947e9d823ae8 RDI: 0000000000000246
        RBP: ffff947ebeae1d08 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000001 R12: ffff947ebeae1c00
        R13: ffff947ed73e5278 R14: dead000000000122 R15: dead000000000100
        FS:  00007f15edfea840(0000) GS:ffff9481ad200000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f1475d98ea8 CR3: 0000000138f68005 CR4: 00000000003706e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         close_ctree+0x2ba/0x2fa [btrfs]
         generic_shutdown_super+0x6c/0x100
         kill_anon_super+0x14/0x30
         btrfs_kill_super+0x12/0x20 [btrfs]
         deactivate_locked_super+0x31/0x70
         cleanup_mnt+0x100/0x160
         task_work_run+0x68/0xb0
         exit_to_user_mode_prepare+0x1bb/0x1c0
         syscall_exit_to_user_mode+0x4b/0x260
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f15ee221ee7
        Code: ff 0b 00 f7 d8 64 89 (...)
        RSP: 002b:00007ffe9470f0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
        RAX: 0000000000000000 RBX: 00007f15ee347264 RCX: 00007f15ee221ee7
        RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 000056169701d000
        RBP: 0000561697018a30 R08: 0000000000000000 R09: 00007f15ee2e2be0
        R10: 000056169701efe0 R11: 0000000000000246 R12: 0000000000000000
        R13: 000056169701d000 R14: 0000561697018b40 R15: 0000561697018c60
        irq event stamp: 0
        hardirqs last  enabled at (0): [<0000000000000000>] 0x0
        hardirqs last disabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last  enabled at (0): [<ffffffff8bcae560>] copy_process+0x8a0/0x1d70
        softirqs last disabled at (0): [<0000000000000000>] 0x0
        ---[ end trace dd74718fef1ed5c8 ]---
        BTRFS info (device sdc): space_info 4 has 268238848 free, is not full
        BTRFS info (device sdc): space_info total=268435456, used=114688, pinned=0, reserved=16384, may_use=0, readonly=65536
        BTRFS info (device sdc): global_block_rsv: size 0 reserved 0
        BTRFS info (device sdc): trans_block_rsv: size 0 reserved 0
        BTRFS info (device sdc): chunk_block_rsv: size 0 reserved 0
        BTRFS info (device sdc): delayed_block_rsv: size 0 reserved 0
        BTRFS info (device sdc): delayed_refs_rsv: size 524288 reserved 0
      
      And the crash, which only happens when we do not have crc32c hardware
      acceleration, produces the following trace immediately after those
      warnings:
      
        stack segment: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
        CPU: 2 PID: 1749129 Comm: umount Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        RIP: 0010:btrfs_queue_work+0x36/0x190 [btrfs]
        Code: 54 55 53 48 89 f3 (...)
        RSP: 0018:ffffb27082443ae8 EFLAGS: 00010282
        RAX: 0000000000000004 RBX: ffff94810ee9ad90 RCX: 0000000000000000
        RDX: 0000000000000001 RSI: ffff94810ee9ad90 RDI: ffff947ed8ee75a0
        RBP: a56b6b6b6b6b6b6b R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000007 R11: 0000000000000001 R12: ffff947fa9b435a8
        R13: ffff94810ee9ad90 R14: 0000000000000000 R15: ffff947e93dc0000
        FS:  00007f3cfe974840(0000) GS:ffff9481ac600000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f1b42995a70 CR3: 0000000127638003 CR4: 00000000003706e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        Call Trace:
         btrfs_wq_submit_bio+0xb3/0xd0 [btrfs]
         btrfs_submit_metadata_bio+0x44/0xc0 [btrfs]
         submit_one_bio+0x61/0x70 [btrfs]
         btree_write_cache_pages+0x414/0x450 [btrfs]
         ? kobject_put+0x9a/0x1d0
         ? trace_hardirqs_on+0x1b/0xf0
         ? _raw_spin_unlock_irqrestore+0x3c/0x60
         ? free_debug_processing+0x1e1/0x2b0
         do_writepages+0x43/0xe0
         ? lock_acquired+0x199/0x490
         __writeback_single_inode+0x59/0x650
         writeback_single_inode+0xaf/0x120
         write_inode_now+0x94/0xd0
         iput+0x187/0x2b0
         close_ctree+0x2c6/0x2fa [btrfs]
         generic_shutdown_super+0x6c/0x100
         kill_anon_super+0x14/0x30
         btrfs_kill_super+0x12/0x20 [btrfs]
         deactivate_locked_super+0x31/0x70
         cleanup_mnt+0x100/0x160
         task_work_run+0x68/0xb0
         exit_to_user_mode_prepare+0x1bb/0x1c0
         syscall_exit_to_user_mode+0x4b/0x260
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f3cfebabee7
        Code: ff 0b 00 f7 d8 64 89 01 (...)
        RSP: 002b:00007ffc9c9a05f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
        RAX: 0000000000000000 RBX: 00007f3cfecd1264 RCX: 00007f3cfebabee7
        RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 0000562b6b478000
        RBP: 0000562b6b473a30 R08: 0000000000000000 R09: 00007f3cfec6cbe0
        R10: 0000562b6b479fe0 R11: 0000000000000246 R12: 0000000000000000
        R13: 0000562b6b478000 R14: 0000562b6b473b40 R15: 0000562b6b473c60
        Modules linked in: btrfs dm_snapshot dm_thin_pool (...)
        ---[ end trace dd74718fef1ed5cc ]---
      
      Finally when we remove the btrfs module (rmmod btrfs), there are several
      warnings about objects that were allocated from our slabs but were never
      freed, consequence of the transaction that was never committed and got
      leaked:
      
        =============================================================================
        BUG btrfs_delayed_ref_head (Tainted: G    B   W        ): Objects remaining in btrfs_delayed_ref_head on __kmem_cache_shutdown()
        -----------------------------------------------------------------------------
      
        INFO: Slab 0x0000000094c2ae56 objects=24 used=2 fp=0x000000002bfa2521 flags=0x17fffc000010200
        CPU: 5 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         slab_err+0xb7/0xdc
         ? lock_acquired+0x199/0x490
         __kmem_cache_shutdown+0x1ac/0x3c0
         ? lock_release+0x20e/0x4c0
         kmem_cache_destroy+0x55/0x120
         btrfs_delayed_ref_exit+0x11/0x35 [btrfs]
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 f5 (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        INFO: Object 0x0000000050cbdd61 @offset=12104
        INFO: Allocated in btrfs_add_delayed_tree_ref+0xbb/0x480 [btrfs] age=1894 cpu=6 pid=1729873
      	__slab_alloc.isra.0+0x109/0x1c0
      	kmem_cache_alloc+0x7bb/0x830
      	btrfs_add_delayed_tree_ref+0xbb/0x480 [btrfs]
      	btrfs_free_tree_block+0x128/0x360 [btrfs]
      	__btrfs_cow_block+0x489/0x5f0 [btrfs]
      	btrfs_cow_block+0xf7/0x220 [btrfs]
      	btrfs_search_slot+0x62a/0xc40 [btrfs]
      	btrfs_del_orphan_item+0x65/0xd0 [btrfs]
      	btrfs_find_orphan_roots+0x1bf/0x200 [btrfs]
      	open_ctree+0x125a/0x18a0 [btrfs]
      	btrfs_mount_root.cold+0x13/0xed [btrfs]
      	legacy_get_tree+0x30/0x60
      	vfs_get_tree+0x28/0xe0
      	fc_mount+0xe/0x40
      	vfs_kern_mount.part.0+0x71/0x90
      	btrfs_mount+0x13b/0x3e0 [btrfs]
        INFO: Freed in __btrfs_run_delayed_refs+0x1117/0x1290 [btrfs] age=4292 cpu=2 pid=1729526
      	kmem_cache_free+0x34c/0x3c0
      	__btrfs_run_delayed_refs+0x1117/0x1290 [btrfs]
      	btrfs_run_delayed_refs+0x81/0x210 [btrfs]
      	commit_cowonly_roots+0xfb/0x300 [btrfs]
      	btrfs_commit_transaction+0x367/0xc40 [btrfs]
      	sync_filesystem+0x74/0x90
      	generic_shutdown_super+0x22/0x100
      	kill_anon_super+0x14/0x30
      	btrfs_kill_super+0x12/0x20 [btrfs]
      	deactivate_locked_super+0x31/0x70
      	cleanup_mnt+0x100/0x160
      	task_work_run+0x68/0xb0
      	exit_to_user_mode_prepare+0x1bb/0x1c0
      	syscall_exit_to_user_mode+0x4b/0x260
      	entry_SYSCALL_64_after_hwframe+0x44/0xa9
        INFO: Object 0x0000000086e9b0ff @offset=12776
        INFO: Allocated in btrfs_add_delayed_tree_ref+0xbb/0x480 [btrfs] age=1900 cpu=6 pid=1729873
      	__slab_alloc.isra.0+0x109/0x1c0
      	kmem_cache_alloc+0x7bb/0x830
      	btrfs_add_delayed_tree_ref+0xbb/0x480 [btrfs]
      	btrfs_alloc_tree_block+0x2bf/0x360 [btrfs]
      	alloc_tree_block_no_bg_flush+0x4f/0x60 [btrfs]
      	__btrfs_cow_block+0x12d/0x5f0 [btrfs]
      	btrfs_cow_block+0xf7/0x220 [btrfs]
      	btrfs_search_slot+0x62a/0xc40 [btrfs]
      	btrfs_del_orphan_item+0x65/0xd0 [btrfs]
      	btrfs_find_orphan_roots+0x1bf/0x200 [btrfs]
      	open_ctree+0x125a/0x18a0 [btrfs]
      	btrfs_mount_root.cold+0x13/0xed [btrfs]
      	legacy_get_tree+0x30/0x60
      	vfs_get_tree+0x28/0xe0
      	fc_mount+0xe/0x40
      	vfs_kern_mount.part.0+0x71/0x90
        INFO: Freed in __btrfs_run_delayed_refs+0x1117/0x1290 [btrfs] age=3141 cpu=6 pid=1729803
      	kmem_cache_free+0x34c/0x3c0
      	__btrfs_run_delayed_refs+0x1117/0x1290 [btrfs]
      	btrfs_run_delayed_refs+0x81/0x210 [btrfs]
      	btrfs_write_dirty_block_groups+0x17d/0x3d0 [btrfs]
      	commit_cowonly_roots+0x248/0x300 [btrfs]
      	btrfs_commit_transaction+0x367/0xc40 [btrfs]
      	close_ctree+0x113/0x2fa [btrfs]
      	generic_shutdown_super+0x6c/0x100
      	kill_anon_super+0x14/0x30
      	btrfs_kill_super+0x12/0x20 [btrfs]
      	deactivate_locked_super+0x31/0x70
      	cleanup_mnt+0x100/0x160
      	task_work_run+0x68/0xb0
      	exit_to_user_mode_prepare+0x1bb/0x1c0
      	syscall_exit_to_user_mode+0x4b/0x260
      	entry_SYSCALL_64_after_hwframe+0x44/0xa9
        kmem_cache_destroy btrfs_delayed_ref_head: Slab cache still has objects
        CPU: 5 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         kmem_cache_destroy+0x119/0x120
         btrfs_delayed_ref_exit+0x11/0x35 [btrfs]
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 f5 0b (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        =============================================================================
        BUG btrfs_delayed_tree_ref (Tainted: G    B   W        ): Objects remaining in btrfs_delayed_tree_ref on __kmem_cache_shutdown()
        -----------------------------------------------------------------------------
      
        INFO: Slab 0x0000000011f78dc0 objects=37 used=2 fp=0x0000000032d55d91 flags=0x17fffc000010200
        CPU: 3 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         slab_err+0xb7/0xdc
         ? lock_acquired+0x199/0x490
         __kmem_cache_shutdown+0x1ac/0x3c0
         ? lock_release+0x20e/0x4c0
         kmem_cache_destroy+0x55/0x120
         btrfs_delayed_ref_exit+0x1d/0x35 [btrfs]
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 f5 (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        INFO: Object 0x000000001a340018 @offset=4408
        INFO: Allocated in btrfs_add_delayed_tree_ref+0x9e/0x480 [btrfs] age=1917 cpu=6 pid=1729873
      	__slab_alloc.isra.0+0x109/0x1c0
      	kmem_cache_alloc+0x7bb/0x830
      	btrfs_add_delayed_tree_ref+0x9e/0x480 [btrfs]
      	btrfs_free_tree_block+0x128/0x360 [btrfs]
      	__btrfs_cow_block+0x489/0x5f0 [btrfs]
      	btrfs_cow_block+0xf7/0x220 [btrfs]
      	btrfs_search_slot+0x62a/0xc40 [btrfs]
      	btrfs_del_orphan_item+0x65/0xd0 [btrfs]
      	btrfs_find_orphan_roots+0x1bf/0x200 [btrfs]
      	open_ctree+0x125a/0x18a0 [btrfs]
      	btrfs_mount_root.cold+0x13/0xed [btrfs]
      	legacy_get_tree+0x30/0x60
      	vfs_get_tree+0x28/0xe0
      	fc_mount+0xe/0x40
      	vfs_kern_mount.part.0+0x71/0x90
      	btrfs_mount+0x13b/0x3e0 [btrfs]
        INFO: Freed in __btrfs_run_delayed_refs+0x63d/0x1290 [btrfs] age=4167 cpu=4 pid=1729795
      	kmem_cache_free+0x34c/0x3c0
      	__btrfs_run_delayed_refs+0x63d/0x1290 [btrfs]
      	btrfs_run_delayed_refs+0x81/0x210 [btrfs]
      	btrfs_commit_transaction+0x60/0xc40 [btrfs]
      	create_subvol+0x56a/0x990 [btrfs]
      	btrfs_mksubvol+0x3fb/0x4a0 [btrfs]
      	__btrfs_ioctl_snap_create+0x119/0x1a0 [btrfs]
      	btrfs_ioctl_snap_create+0x58/0x80 [btrfs]
      	btrfs_ioctl+0x1a92/0x36f0 [btrfs]
      	__x64_sys_ioctl+0x83/0xb0
      	do_syscall_64+0x33/0x80
      	entry_SYSCALL_64_after_hwframe+0x44/0xa9
        INFO: Object 0x000000002b46292a @offset=13648
        INFO: Allocated in btrfs_add_delayed_tree_ref+0x9e/0x480 [btrfs] age=1923 cpu=6 pid=1729873
      	__slab_alloc.isra.0+0x109/0x1c0
      	kmem_cache_alloc+0x7bb/0x830
      	btrfs_add_delayed_tree_ref+0x9e/0x480 [btrfs]
      	btrfs_alloc_tree_block+0x2bf/0x360 [btrfs]
      	alloc_tree_block_no_bg_flush+0x4f/0x60 [btrfs]
      	__btrfs_cow_block+0x12d/0x5f0 [btrfs]
      	btrfs_cow_block+0xf7/0x220 [btrfs]
      	btrfs_search_slot+0x62a/0xc40 [btrfs]
      	btrfs_del_orphan_item+0x65/0xd0 [btrfs]
      	btrfs_find_orphan_roots+0x1bf/0x200 [btrfs]
      	open_ctree+0x125a/0x18a0 [btrfs]
      	btrfs_mount_root.cold+0x13/0xed [btrfs]
      	legacy_get_tree+0x30/0x60
      	vfs_get_tree+0x28/0xe0
      	fc_mount+0xe/0x40
      	vfs_kern_mount.part.0+0x71/0x90
        INFO: Freed in __btrfs_run_delayed_refs+0x63d/0x1290 [btrfs] age=3164 cpu=6 pid=1729803
      	kmem_cache_free+0x34c/0x3c0
      	__btrfs_run_delayed_refs+0x63d/0x1290 [btrfs]
      	btrfs_run_delayed_refs+0x81/0x210 [btrfs]
      	commit_cowonly_roots+0xfb/0x300 [btrfs]
      	btrfs_commit_transaction+0x367/0xc40 [btrfs]
      	close_ctree+0x113/0x2fa [btrfs]
      	generic_shutdown_super+0x6c/0x100
      	kill_anon_super+0x14/0x30
      	btrfs_kill_super+0x12/0x20 [btrfs]
      	deactivate_locked_super+0x31/0x70
      	cleanup_mnt+0x100/0x160
      	task_work_run+0x68/0xb0
      	exit_to_user_mode_prepare+0x1bb/0x1c0
      	syscall_exit_to_user_mode+0x4b/0x260
      	entry_SYSCALL_64_after_hwframe+0x44/0xa9
        kmem_cache_destroy btrfs_delayed_tree_ref: Slab cache still has objects
        CPU: 5 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         kmem_cache_destroy+0x119/0x120
         btrfs_delayed_ref_exit+0x1d/0x35 [btrfs]
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 f5 (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        =============================================================================
        BUG btrfs_delayed_extent_op (Tainted: G    B   W        ): Objects remaining in btrfs_delayed_extent_op on __kmem_cache_shutdown()
        -----------------------------------------------------------------------------
      
        INFO: Slab 0x00000000f145ce2f objects=22 used=1 fp=0x00000000af0f92cf flags=0x17fffc000010200
        CPU: 5 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         slab_err+0xb7/0xdc
         ? lock_acquired+0x199/0x490
         __kmem_cache_shutdown+0x1ac/0x3c0
         ? __mutex_unlock_slowpath+0x45/0x2a0
         kmem_cache_destroy+0x55/0x120
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 f5 (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        INFO: Object 0x000000004cf95ea8 @offset=6264
        INFO: Allocated in btrfs_alloc_tree_block+0x1e0/0x360 [btrfs] age=1931 cpu=6 pid=1729873
      	__slab_alloc.isra.0+0x109/0x1c0
      	kmem_cache_alloc+0x7bb/0x830
      	btrfs_alloc_tree_block+0x1e0/0x360 [btrfs]
      	alloc_tree_block_no_bg_flush+0x4f/0x60 [btrfs]
      	__btrfs_cow_block+0x12d/0x5f0 [btrfs]
      	btrfs_cow_block+0xf7/0x220 [btrfs]
      	btrfs_search_slot+0x62a/0xc40 [btrfs]
      	btrfs_del_orphan_item+0x65/0xd0 [btrfs]
      	btrfs_find_orphan_roots+0x1bf/0x200 [btrfs]
      	open_ctree+0x125a/0x18a0 [btrfs]
      	btrfs_mount_root.cold+0x13/0xed [btrfs]
      	legacy_get_tree+0x30/0x60
      	vfs_get_tree+0x28/0xe0
      	fc_mount+0xe/0x40
      	vfs_kern_mount.part.0+0x71/0x90
      	btrfs_mount+0x13b/0x3e0 [btrfs]
        INFO: Freed in __btrfs_run_delayed_refs+0xabd/0x1290 [btrfs] age=3173 cpu=6 pid=1729803
      	kmem_cache_free+0x34c/0x3c0
      	__btrfs_run_delayed_refs+0xabd/0x1290 [btrfs]
      	btrfs_run_delayed_refs+0x81/0x210 [btrfs]
      	commit_cowonly_roots+0xfb/0x300 [btrfs]
      	btrfs_commit_transaction+0x367/0xc40 [btrfs]
      	close_ctree+0x113/0x2fa [btrfs]
      	generic_shutdown_super+0x6c/0x100
      	kill_anon_super+0x14/0x30
      	btrfs_kill_super+0x12/0x20 [btrfs]
      	deactivate_locked_super+0x31/0x70
      	cleanup_mnt+0x100/0x160
      	task_work_run+0x68/0xb0
      	exit_to_user_mode_prepare+0x1bb/0x1c0
      	syscall_exit_to_user_mode+0x4b/0x260
      	entry_SYSCALL_64_after_hwframe+0x44/0xa9
        kmem_cache_destroy btrfs_delayed_extent_op: Slab cache still has objects
        CPU: 3 PID: 1729921 Comm: rmmod Tainted: G    B   W         5.10.0-rc4-btrfs-next-73 #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
        Call Trace:
         dump_stack+0x8d/0xb5
         kmem_cache_destroy+0x119/0x120
         exit_btrfs_fs+0xa/0x59 [btrfs]
         __x64_sys_delete_module+0x194/0x260
         ? fpregs_assert_state_consistent+0x1e/0x40
         ? exit_to_user_mode_prepare+0x55/0x1c0
         ? trace_hardirqs_on+0x1b/0xf0
         do_syscall_64+0x33/0x80
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        RIP: 0033:0x7f693e305897
        Code: 73 01 c3 48 8b 0d f9 (...)
        RSP: 002b:00007ffcf73eb508 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000559df504f760 RCX: 00007f693e305897
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559df504f7c8
        RBP: 00007ffcf73eb568 R08: 0000000000000000 R09: 0000000000000000
        R10: 00007f693e378ac0 R11: 0000000000000206 R12: 00007ffcf73eb740
        R13: 00007ffcf73ec5a6 R14: 0000559df504f2a0 R15: 0000559df504f760
        BTRFS: state leak: start 30408704 end 30425087 state 1 in tree 1 refs 1
      
      Fix this issue by having the remount path stop the qgroup rescan worker
      when we are remounting RO and teach the rescan worker to stop when a
      remount is in progress. If later a remount in RW mode happens, we are
      already resuming the qgroup rescan worker through the call to
      btrfs_qgroup_rescan_resume(), so we do not need to worry about that.
      Tested-by: NFabian Vogt <fvogt@suse.com>
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      bcda164f
    • P
      btrfs: merge critical sections of discard lock in workfn · 14e8bf83
      Pavel Begunkov 提交于
      stable inclusion
      from stable-5.10.9
      commit f89d84b35af33b58ec67c78ac7cc670f57ae2466
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 8fc05859 ]
      
      btrfs_discard_workfn() drops discard_ctl->lock just to take it again in
      a moment in btrfs_discard_schedule_work(). Avoid that and also reuse
      ktime.
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      14e8bf83
    • P
      btrfs: fix async discard stall · b37ec365
      Pavel Begunkov 提交于
      stable inclusion
      from stable-5.10.9
      commit 33061bd104cbf6798738cf2f5608f18910d9f9da
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit ea9ed87c ]
      
      Might happen that bg->discard_eligible_time was changed without
      rescheduling, so btrfs_discard_workfn() wakes up earlier than that new
      time, peek_discard_list() returns NULL, and all work halts and goes to
      sleep without further rescheduling even there are block groups to
      discard.
      
      It happens pretty often, but not so visible from the userspace because
      after some time it usually will be kicked off anyway by someone else
      calling btrfs_discard_reschedule_work().
      
      Fix it by continue rescheduling if block group discard lists are not
      empty.
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      b37ec365
    • C
      ath11k: qmi: try to allocate a big block of DMA memory first · f6c10846
      Carl Huang 提交于
      stable inclusion
      from stable-5.10.9
      commit d18e04ce283a2aa28815a04d274157d27b1872cf
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit f6f92968 ]
      
      Not all firmware versions support allocating DMA memory in smaller blocks so
      first try to allocate big block of DMA memory for QMI. If the allocation fails,
      let firmware request multiple blocks of DMA memory with smaller size.
      
      This also fixes an unnecessary error message seen during ath11k probe on
      QCA6390:
      
      ath11k_pci 0000:06:00.0: Respond mem req failed, result: 1, err: 0
      ath11k_pci 0000:06:00.0: qmi failed to respond fw mem req:-22
      
      Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
      Signed-off-by: NCarl Huang <cjhuang@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1608127593-15192-1-git-send-email-kvalo@codeaurora.orgSigned-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      f6c10846
    • V
      netfilter: ipset: fixes possible oops in mtype_resize · 5e65ff1a
      Vasily Averin 提交于
      stable inclusion
      from stable-5.10.9
      commit cc77e4a020aa308265a67ed4cb3188100a1787a0
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 2b33d6ff ]
      
      currently mtype_resize() can cause oops
      
              t = ip_set_alloc(htable_size(htable_bits));
              if (!t) {
                      ret = -ENOMEM;
                      goto out;
              }
              t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
      
      Increased htable_bits can force htable_size() to return 0.
      In own turn ip_set_alloc(0) returns not 0 but ZERO_SIZE_PTR,
      so follwoing access to t->hregion should trigger an OOPS.
      Signed-off-by: NVasily Averin <vvs@virtuozzo.com>
      Acked-by: NJozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      5e65ff1a
    • C
      ath11k: fix crash caused by NULL rx_channel · 52e88e72
      Carl Huang 提交于
      stable inclusion
      from stable-5.10.9
      commit c871060d3eaa64946133bfdce0d3d443741ed811
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 35970106 ]
      
      During connect and disconnect stress test, crashed happened
      because ar->rx_channel is NULL. Fix it by checking whether
      ar->rx_channel is NULL.
      
      Crash stack is as below:
      RIP: 0010:ath11k_dp_rx_h_ppdu+0x110/0x230 [ath11k]
      [ 5028.808963]  ath11k_dp_rx_wbm_err+0x14a/0x360 [ath11k]
      [ 5028.808970]  ath11k_dp_rx_process_wbm_err+0x41c/0x520 [ath11k]
      [ 5028.808978]  ath11k_dp_service_srng+0x25e/0x2d0 [ath11k]
      [ 5028.808982]  ath11k_pci_ext_grp_napi_poll+0x23/0x80 [ath11k_pci]
      [ 5028.808986]  net_rx_action+0x27e/0x400
      [ 5028.808990]  __do_softirq+0xfd/0x2bb
      [ 5028.808993]  irq_exit+0xa6/0xb0
      [ 5028.808995]  do_IRQ+0x56/0xe0
      [ 5028.808997]  common_interrupt+0xf/0xf
      
      Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
      Signed-off-by: NCarl Huang <cjhuang@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20201211055613.9310-1-cjhuang@codeaurora.orgSigned-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      52e88e72
    • C
      ARM: omap2: pmic-cpcap: fix maximum voltage to be consistent with defaults on xt875 · 9b91b09a
      Carl Philipp Klemm 提交于
      stable inclusion
      from stable-5.10.9
      commit 54cfdd65070e51bd4ff55c7cef105f12f9c5d264
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit c0bc969c ]
      
      xt875 comes up with a iva voltage of 1375000 and android runs at this too. fix
      maximum voltage to be consistent with this.
      Signed-off-by: NCarl Philipp Klemm <philipp@uvos.xyz>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      9b91b09a
    • M
      ARC: build: move symlink creation to arch/arc/Makefile to avoid race · 32481d63
      Masahiro Yamada 提交于
      stable inclusion
      from stable-5.10.9
      commit 6169a5cfaacc8294cd360d9b864a212f545bca95
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit c5e6ae56 ]
      
      If you run 'make uImage uImage.gz' with the parallel option, uImage.gz
      will be created by two threads simultaneously.
      
      This is because arch/arc/Makefile does not specify the dependency
      between uImage and uImage.gz. Hence, GNU Make assumes they can be
      built in parallel. One thread descends into arch/arc/boot/ to create
      uImage, and another to create uImage.gz.
      
      Please notice the same log is displayed twice in the following steps:
      
        $ export CROSS_COMPILE=<your-arc-compiler-prefix>
        $ make -s ARCH=arc defconfig
        $ make -j$(nproc) ARCH=arc uImage uImage.gz
        [ snip ]
          LD      vmlinux
          SORTTAB vmlinux
          SYSMAP  System.map
          OBJCOPY arch/arc/boot/vmlinux.bin
          OBJCOPY arch/arc/boot/vmlinux.bin
          GZIP    arch/arc/boot/vmlinux.bin.gz
          GZIP    arch/arc/boot/vmlinux.bin.gz
          UIMAGE  arch/arc/boot/uImage.gz
          UIMAGE  arch/arc/boot/uImage.gz
        Image Name:   Linux-5.10.0-rc4-00003-g62f23044
        Created:      Sun Nov 22 02:52:26 2020
        Image Type:   ARC Linux Kernel Image (gzip compressed)
        Data Size:    2109376 Bytes = 2059.94 KiB = 2.01 MiB
        Load Address: 80000000
        Entry Point:  80004000
          Image arch/arc/boot/uImage is ready
        Image Name:   Linux-5.10.0-rc4-00003-g62f23044
        Created:      Sun Nov 22 02:52:26 2020
        Image Type:   ARC Linux Kernel Image (gzip compressed)
        Data Size:    2815455 Bytes = 2749.47 KiB = 2.69 MiB
        Load Address: 80000000
        Entry Point:  80004000
      
      This is a race between the two threads trying to write to the same file
      arch/arc/boot/uImage.gz. This is a potential problem that can generate
      a broken file.
      
      I fixed a similar problem for ARM by commit 3939f334 ("ARM: 8418/1:
      add boot image dependencies to not generate invalid images").
      
      I highly recommend to avoid such build rules that cause a race condition.
      
      Move the uImage rule to arch/arc/Makefile.
      
      Another strangeness is that arch/arc/boot/Makefile compares the
      timestamps between $(obj)/uImage and $(obj)/uImage.*:
      
        $(obj)/uImage: $(obj)/uImage.$(suffix-y)
                @ln -sf $(notdir $<) $@
                @echo '  Image $@ is ready'
      
      This does not work as expected since $(obj)/uImage is a symlink.
      The symlink should be created in a phony target rule.
      
      I used $(kecho) instead of echo to suppress the message
      'Image arch/arc/boot/uImage is ready' when the -s option is given.
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      32481d63
    • M
      ARC: build: add boot_targets to PHONY · ebcf8f0f
      Masahiro Yamada 提交于
      stable inclusion
      from stable-5.10.9
      commit 443fb88d6dea55e7262923fb9f76213bc089ae45
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 0cfccb3c ]
      
      The top-level boot_targets (uImage and uImage.*) should be phony
      targets. They just let Kbuild descend into arch/arc/boot/ and create
      files there.
      
      If a file exists in the top directory with the same name, the boot
      image will not be created.
      
      You can confirm it by the following steps:
      
        $ export CROSS_COMPILE=<your-arc-compiler-prefix>
        $ make -s ARCH=arc defconfig all   # vmlinux will be built
        $ touch uImage.gz
        $ make ARCH=arc uImage.gz
        CALL    scripts/atomic/check-atomics.sh
        CALL    scripts/checksyscalls.sh
        CHK     include/generated/compile.h
        # arch/arc/boot/uImage.gz is not created
      
      Specify the targets as PHONY to fix this.
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      ebcf8f0f
    • M
      ARC: build: add uImage.lzma to the top-level target · 58f05910
      Masahiro Yamada 提交于
      stable inclusion
      from stable-5.10.9
      commit e1c4b5ff9655d643982a92fdf0d0ef38cf6c7875
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit f2712ec7 ]
      
      arch/arc/boot/Makefile supports uImage.lzma, but you cannot do
      'make uImage.lzma' because the corresponding target is missing
      in arch/arc/Makefile. Add it.
      
      I also changed the assignment operator '+=' to ':=' since this is the
      only place where we expect this variable to be set.
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      58f05910
    • M
      ARC: build: remove non-existing bootpImage from KBUILD_IMAGE · a2d6eb0c
      Masahiro Yamada 提交于
      stable inclusion
      from stable-5.10.9
      commit cf4592a2d740a4eb6f663290fdf77d792bb23834
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 98367209 ]
      
      The deb-pkg builds for ARCH=arc fail.
      
        $ export CROSS_COMPILE=<your-arc-compiler-prefix>
        $ make -s ARCH=arc defconfig
        $ make ARCH=arc bindeb-pkg
        SORTTAB vmlinux
        SYSMAP  System.map
        MODPOST Module.symvers
        make KERNELRELEASE=5.10.0-rc4 ARCH=arc KBUILD_BUILD_VERSION=2 -f ./Makefile intdeb-pkg
        sh ./scripts/package/builddeb
        cp: cannot stat 'arch/arc/boot/bootpImage': No such file or directory
        make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
        make[3]: *** [Makefile:1527: intdeb-pkg] Error 2
        make[2]: *** [debian/rules:13: binary-arch] Error 2
        dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
        make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
        make: *** [Makefile:1527: bindeb-pkg] Error 2
      
      The reason is obvious; arch/arc/Makefile sets $(boot)/bootpImage as
      the default image, but there is no rule to build it.
      
      Remove the meaningless KBUILD_IMAGE assignment so it will fallback
      to the default vmlinux. With this change, you can build the deb package.
      
      I removed the 'bootpImage' target as well. At best, it provides
      'make bootpImage' as an alias of 'make vmlinux', but I do not see
      much sense in doing so.
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: NVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      a2d6eb0c
    • P
      io_uring: drop mm and files after task_work_run · 7f7b2926
      Pavel Begunkov 提交于
      stable inclusion
      from stable-5.10.9
      commit f7f32822a44af3b09a1641d26803a8fea714ff88
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit d434ab6d ]
      
      __io_req_task_submit() run by task_work can set mm and files, but
      io_sq_thread() in some cases, and because __io_sq_thread_acquire_mm()
      and __io_sq_thread_acquire_files() do a simple current->mm/files check
      it may end up submitting IO with mm/files of another task.
      
      We also need to drop it after in the end to drop potentially grabbed
      references to them.
      
      Cc: stable@vger.kernel.org # 5.9+
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      7f7b2926
    • P
      io_uring: don't take files/mm for a dead task · 14447cfe
      Pavel Begunkov 提交于
      stable inclusion
      from stable-5.10.9
      commit a3647cddfee6f5368028ec61b6232d0e7283b652
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 621fadc2 ]
      
      In rare cases a task may be exiting while io_ring_exit_work() trying to
      cancel/wait its requests. It's ok for __io_sq_thread_acquire_mm()
      because of SQPOLL check, but is not for __io_sq_thread_acquire_files().
      Play safe and fail for both of them.
      
      Cc: stable@vger.kernel.org # 5.5+
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      14447cfe
    • T
      ext4: don't leak old mountpoint samples · 795a4225
      Theodore Ts'o 提交于
      stable inclusion
      from stable-5.10.9
      commit 85958f60ebba739e9b762b8d160986aea5d90ea0
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 5a3b590d ]
      
      When the first file is opened, ext4 samples the mountpoint of the
      filesystem in 64 bytes of the super block.  It does so using
      strlcpy(), this means that the remaining bytes in the super block
      string buffer are untouched.  If the mount point before had a longer
      path than the current one, it can be reconstructed.
      
      Consider the case where the fs was mounted to "/media/johnjdeveloper"
      and later to "/".  The super block buffer then contains
      "/\x00edia/johnjdeveloper".
      
      This case was seen in the wild and caused confusion how the name
      of a developer ands up on the super block of a filesystem used
      in production...
      
      Fix this by using strncpy() instead of strlcpy().  The superblock
      field is defined to be a fixed-size char array, and it is already
      marked using __nonstring in fs/ext4/ext4.h.  The consumer of the field
      in e2fsprogs already assumes that in the case of a 64+ byte mount
      path, that s_last_mounted will not be NUL terminated.
      
      Link: https://lore.kernel.org/r/X9ujIOJG/HqMr88R@mit.eduReported-by: NRichard Weinberger <richard@nod.at>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      795a4225
    • S
      btrfs: tree-checker: check if chunk item end overflows · ec2ff8e7
      Su Yue 提交于
      stable inclusion
      from stable-5.10.9
      commit 41b5ec745ccf590c5e9af7d6704df53755c3db44
      bugzilla: 47457
      
      --------------------------------
      
      [ Upstream commit 347fb0cf ]
      
      While mounting a crafted image provided by user, kernel panics due to
      the invalid chunk item whose end is less than start.
      
        [66.387422] loop: module loaded
        [66.389773] loop0: detected capacity change from 262144 to 0
        [66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
        [66.431061] BTRFS info (device loop0): disk space caching is enabled
        [66.431078] BTRFS info (device loop0): has skinny extents
        [66.437101] BTRFS error: insert state: end < start 29360127 37748736
        [66.437136] ------------[ cut here ]------------
        [66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
        [66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G           O      5.11.0-rc1-custom #45
        [66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
        [66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
        [66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
        [66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
        [66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
        [66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
        [66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
        [66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
        [66.437447] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
        [66.437451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
        [66.437460] PKRU: 55555554
        [66.437464] Call Trace:
        [66.437475]  set_extent_bit+0x652/0x740 [btrfs]
        [66.437539]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
        [66.437576]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
        [66.437621]  read_one_chunk+0x33c/0x420 [btrfs]
        [66.437674]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
        [66.437708]  ? kvm_sched_clock_read+0x18/0x40
        [66.437739]  open_ctree+0xb32/0x1734 [btrfs]
        [66.437781]  ? bdi_register_va+0x1b/0x20
        [66.437788]  ? super_setup_bdi_name+0x79/0xd0
        [66.437810]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
        [66.437854]  ? __kmalloc_track_caller+0x217/0x3b0
        [66.437873]  legacy_get_tree+0x34/0x60
        [66.437880]  vfs_get_tree+0x2d/0xc0
        [66.437888]  vfs_kern_mount.part.0+0x78/0xc0
        [66.437897]  vfs_kern_mount+0x13/0x20
        [66.437902]  btrfs_mount+0x11f/0x3c0 [btrfs]
        [66.437940]  ? kfree+0x5ff/0x670
        [66.437944]  ? __kmalloc_track_caller+0x217/0x3b0
        [66.437962]  legacy_get_tree+0x34/0x60
        [66.437974]  vfs_get_tree+0x2d/0xc0
        [66.437983]  path_mount+0x48c/0xd30
        [66.437998]  __x64_sys_mount+0x108/0x140
        [66.438011]  do_syscall_64+0x38/0x50
        [66.438018]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [66.438023] RIP: 0033:0x7f0138827f6e
        [66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
        [66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
        [66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
        [66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
        [66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
        [66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
        [66.438078] irq event stamp: 18169
        [66.438082] hardirqs last  enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
        [66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
        [66.438092] softirqs last  enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
        [66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
        [66.438103] ---[ end trace e114b111db64298b ]---
        [66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
        [66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
        [66.441069] ------------[ cut here ]------------
        [66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
        [66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
        [66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G        W  O      5.11.0-rc1-custom #45
        [66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
        [66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
        [66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
        [66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
        [66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
        [66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
        [66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
        [66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
        [66.458356] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
        [66.459841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
        [66.462196] PKRU: 55555554
        [66.462692] Call Trace:
        [66.463139]  set_extent_bit.cold+0x30/0x98 [btrfs]
        [66.464049]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
        [66.490466]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
        [66.514097]  read_one_chunk+0x33c/0x420 [btrfs]
        [66.534976]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
        [66.555718]  ? kvm_sched_clock_read+0x18/0x40
        [66.575758]  open_ctree+0xb32/0x1734 [btrfs]
        [66.595272]  ? bdi_register_va+0x1b/0x20
        [66.614638]  ? super_setup_bdi_name+0x79/0xd0
        [66.633809]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
        [66.652938]  ? __kmalloc_track_caller+0x217/0x3b0
        [66.671925]  legacy_get_tree+0x34/0x60
        [66.690300]  vfs_get_tree+0x2d/0xc0
        [66.708221]  vfs_kern_mount.part.0+0x78/0xc0
        [66.725808]  vfs_kern_mount+0x13/0x20
        [66.742730]  btrfs_mount+0x11f/0x3c0 [btrfs]
        [66.759350]  ? kfree+0x5ff/0x670
        [66.775441]  ? __kmalloc_track_caller+0x217/0x3b0
        [66.791750]  legacy_get_tree+0x34/0x60
        [66.807494]  vfs_get_tree+0x2d/0xc0
        [66.823349]  path_mount+0x48c/0xd30
        [66.838753]  __x64_sys_mount+0x108/0x140
        [66.854412]  do_syscall_64+0x38/0x50
        [66.869673]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [66.885093] RIP: 0033:0x7f0138827f6e
        [66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
        [66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
        [66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
        [67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
        [67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
        [67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
        [67.216138] ---[ end trace e114b111db64298c ]---
        [67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
        [67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
        [67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
        [67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
        [67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
        [67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
        [67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
        [67.465436] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
        [67.511660] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
        [67.558449] PKRU: 55555554
        [67.581146] note: mount[613] exited with preempt_count 2
      
      The image has a chunk item which has a logical start 37748736 and length
      18446744073701163008 (-8M). The calculated end 29360127 overflows.
      EEXIST was caught by insert_state() because of the duplicate end and
      extent_io_tree_panic() was called.
      
      Add overflow check of chunk item end to tree checker so it can be
      detected early at mount time.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
      CC: stable@vger.kernel.org # 4.19+
      Reviewed-by: NAnand Jain <anand.jain@oracle.com>
      Signed-off-by: NSu Yue <l@damenly.su>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      ec2ff8e7
    • L
      r8152: Add Lenovo Powered USB-C Travel Hub · e79707f5
      Leon Schuermann 提交于
      stable inclusion
      from stable-5.10.9
      commit 85905240bf79f42814c37cc81a7d05c616133e75
      bugzilla: 47457
      
      --------------------------------
      
      commit cb82a549 upstream.
      
      This USB-C Hub (17ef:721e) based on the Realtek RTL8153B chip used to
      use the cdc_ether driver. However, using this driver, with the system
      suspended the device constantly sends pause-frames as soon as the
      receive buffer fills up. This causes issues with other devices, where
      some Ethernet switches stop forwarding packets altogether.
      
      Using the Realtek driver (r8152) fixes this issue. Pause frames are no
      longer sent while the host system is suspended.
      Signed-off-by: NLeon Schuermann <leon@is.currently.online>
      Tested-by: NLeon Schuermann <leon@is.currently.online>
      Link: https://lore.kernel.org/r/20210111190312.12589-2-leon@is.currently.onlineSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      e79707f5
    • V
      stmmac: intel: change all EHL/TGL to auto detect phy addr · 08702aec
      Voon Weifeng 提交于
      stable inclusion
      from stable-5.10.9
      commit 53e976bb07081324aa6d8d35bc78e09e00e56b6a
      bugzilla: 47457
      
      --------------------------------
      
      commit bff6f1db upstream.
      
      Set all EHL/TGL phy_addr to -1 so that the driver will automatically
      detect it at run-time by probing all the possible 32 addresses.
      Signed-off-by: NVoon Weifeng <weifeng.voon@intel.com>
      Signed-off-by: NWong Vee Khee <vee.khee.wong@intel.com>
      Link: https://lore.kernel.org/r/20201106094341.4241-1-vee.khee.wong@intel.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      08702aec
    • I
      dm crypt: defer decryption to a tasklet if interrupts disabled · e028eea3
      Ignat Korchagin 提交于
      stable inclusion
      from stable-5.10.9
      commit 7c5b2049caadbaa4a30ccafc1a9817c12bb3ff98
      bugzilla: 47457
      
      --------------------------------
      
      commit c87a95dc upstream.
      
      On some specific hardware on early boot we occasionally get:
      
      [ 1193.920255][    T0] BUG: sleeping function called from invalid context at mm/mempool.c:381
      [ 1193.936616][    T0] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/69
      [ 1193.953233][    T0] no locks held by swapper/69/0.
      [ 1193.965871][    T0] irq event stamp: 575062
      [ 1193.977724][    T0] hardirqs last  enabled at (575061): [<ffffffffab73f662>] tick_nohz_idle_exit+0xe2/0x3e0
      [ 1194.002762][    T0] hardirqs last disabled at (575062): [<ffffffffab74e8af>] flush_smp_call_function_from_idle+0x4f/0x80
      [ 1194.029035][    T0] softirqs last  enabled at (575050): [<ffffffffad600fd2>] asm_call_irq_on_stack+0x12/0x20
      [ 1194.054227][    T0] softirqs last disabled at (575043): [<ffffffffad600fd2>] asm_call_irq_on_stack+0x12/0x20
      [ 1194.079389][    T0] CPU: 69 PID: 0 Comm: swapper/69 Not tainted 5.10.6-cloudflare-kasan-2021.1.4-dev #1
      [ 1194.104103][    T0] Hardware name: NULL R162-Z12-CD/MZ12-HD4-CD, BIOS R10 06/04/2020
      [ 1194.119591][    T0] Call Trace:
      [ 1194.130233][    T0]  dump_stack+0x9a/0xcc
      [ 1194.141617][    T0]  ___might_sleep.cold+0x180/0x1b0
      [ 1194.153825][    T0]  mempool_alloc+0x16b/0x300
      [ 1194.165313][    T0]  ? remove_element+0x160/0x160
      [ 1194.176961][    T0]  ? blk_mq_end_request+0x4b/0x490
      [ 1194.188778][    T0]  crypt_convert+0x27f6/0x45f0 [dm_crypt]
      [ 1194.201024][    T0]  ? rcu_read_lock_sched_held+0x3f/0x70
      [ 1194.212906][    T0]  ? module_assert_mutex_or_preempt+0x3e/0x70
      [ 1194.225318][    T0]  ? __module_address.part.0+0x1b/0x3a0
      [ 1194.237212][    T0]  ? is_kernel_percpu_address+0x5b/0x190
      [ 1194.249238][    T0]  ? crypt_iv_tcw_ctr+0x4a0/0x4a0 [dm_crypt]
      [ 1194.261593][    T0]  ? is_module_address+0x25/0x40
      [ 1194.272905][    T0]  ? static_obj+0x8a/0xc0
      [ 1194.283582][    T0]  ? lockdep_init_map_waits+0x26a/0x700
      [ 1194.295570][    T0]  ? __raw_spin_lock_init+0x39/0x110
      [ 1194.307330][    T0]  kcryptd_crypt_read_convert+0x31c/0x560 [dm_crypt]
      [ 1194.320496][    T0]  ? kcryptd_queue_crypt+0x1be/0x380 [dm_crypt]
      [ 1194.333203][    T0]  blk_update_request+0x6d7/0x1500
      [ 1194.344841][    T0]  ? blk_mq_trigger_softirq+0x190/0x190
      [ 1194.356831][    T0]  blk_mq_end_request+0x4b/0x490
      [ 1194.367994][    T0]  ? blk_mq_trigger_softirq+0x190/0x190
      [ 1194.379693][    T0]  flush_smp_call_function_queue+0x24b/0x560
      [ 1194.391847][    T0]  flush_smp_call_function_from_idle+0x59/0x80
      [ 1194.403969][    T0]  do_idle+0x287/0x450
      [ 1194.413891][    T0]  ? arch_cpu_idle_exit+0x40/0x40
      [ 1194.424716][    T0]  ? lockdep_hardirqs_on_prepare+0x286/0x3f0
      [ 1194.436399][    T0]  ? _raw_spin_unlock_irqrestore+0x39/0x40
      [ 1194.447759][    T0]  cpu_startup_entry+0x19/0x20
      [ 1194.458038][    T0]  secondary_startup_64_no_verify+0xb0/0xbb
      
      IO completion can be queued to a different CPU by the block subsystem as a "call
      single function/data". The CPU may run these routines from the idle task, but it
      does so with interrupts disabled.
      
      It is not a good idea to do decryption with irqs disabled even in an idle task
      context, so just defer it to a tasklet (as is done with requests from hard irqs).
      
      Fixes: 39d42fa9 ("dm crypt: add flags to optionally bypass kcryptd workqueues")
      Cc: stable@vger.kernel.org # v5.9+
      Signed-off-by: NIgnat Korchagin <ignat@cloudflare.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      e028eea3
    • I
      dm crypt: do not call bio_endio() from the dm-crypt tasklet · a70679af
      Ignat Korchagin 提交于
      stable inclusion
      from stable-5.10.9
      commit fe40f6a6309fd4bbfd8290cc1ff517aaf1ac5abe
      bugzilla: 47457
      
      --------------------------------
      
      commit 8e14f610 upstream.
      
      Sometimes, when dm-crypt executes decryption in a tasklet, we may get
      "BUG: KASAN: use-after-free in tasklet_action_common.constprop..."
      with a kasan-enabled kernel.
      
      When the decryption fully completes in the tasklet, dm-crypt will call
      bio_endio(), which in turn will call clone_endio() from dm.c core code. That
      function frees the resources associated with the bio, including per bio private
      structures. For dm-crypt it will free the current struct dm_crypt_io, which
      contains our tasklet object, causing use-after-free, when the tasklet is being
      dequeued by the kernel.
      
      To avoid this, do not call bio_endio() from the current tasklet context, but
      delay its execution to the dm-crypt IO workqueue.
      
      Fixes: 39d42fa9 ("dm crypt: add flags to optionally bypass kcryptd workqueues")
      Cc: <stable@vger.kernel.org> # v5.9+
      Signed-off-by: NIgnat Korchagin <ignat@cloudflare.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NChen Jun <chenjun102@huawei.com>
      Acked-by: NXie XiuQi <xiexiuqi@huawei.com>
      a70679af